{"id":6333,"date":"2017-09-20T10:38:33","date_gmt":"2017-09-20T02:38:33","guid":{"rendered":"https:\/\/kyle.ai\/blog\/?p=6333"},"modified":"2017-12-21T21:00:21","modified_gmt":"2017-12-21T13:00:21","slug":"%e4%bd%bf%e7%94%a8lets-encrypt%e7%bb%99%e7%bd%91%e7%ab%99%e5%8a%a0%e4%b8%8a%e5%85%8d%e8%b4%b9https%e8%af%81%e4%b9%a6","status":"publish","type":"post","link":"https:\/\/kyle.ai\/blog\/6333.html","title":{"rendered":"Using Let&#8217;s Encrypt to Add a Free HTTPS Certificate to a Website"},"content":{"rendered":"<p>I previously used a certificate from startssl.com (see my earlier post, <a href=\"https:\/\/kyle.ai\/blog\/6051.html\">Configuring an SSL certificate in Nginx<\/a>), but recently Chrome stopped trusting their certificates, so I switched to the free certificates provided by Let&#8217;s Encrypt.<\/p>\n<p>Official site: https:\/\/letsencrypt.org\/. Deployment is easy with certbot, the automation script they provide; see https:\/\/certbot.eff.org\/.<\/p>\n<p>I use the manual mode of certbot, which only generates the certificate files; I edited the nginx configuration file by hand. Reference documentation: <a href=\"https:\/\/certbot.eff.org\/docs\/using.html#manual\">https:\/\/certbot.eff.org\/docs\/using.html#manual<\/a><\/p>\n<p>Install certbot on Ubuntu:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n$ sudo apt-get update\r\n$ sudo apt-get install software-properties-common\r\n$ sudo add-apt-repository ppa:certbot\/certbot\r\n$ sudo apt-get update\r\n$ sudo apt-get install python-certbot-nginx 
\r\n<\/pre>\n<p>Then generate the certificate files in manual mode:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsudo certbot certonly --manual\r\n<\/pre>\n<p>Follow the prompts: enter the contact email address, then the domain name to validate, and then set up the URL used to verify domain ownership as instructed.<\/p>\n<p>Email address prompt:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\r\nEnter email address (used for urgent renewal and security notices) (Enter 'c' to\r\ncancel): \r\n<\/pre>\n<p>Enter the domain name:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nPlease enter in your domain name(s) (comma and\/or space separated)  (Enter 'c'\r\nto cancel):\r\n<\/pre>\n<p>certbot then asks you to serve a file at a given path to verify ownership of the domain:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nCreate a file containing just this data:\r\n\r\nomN85Bt3yGVVlSgguGBmO......\r\n\r\nAnd make it available on your web server at this URL:\r\n\r\nhttp:\/\/kyle.ai\/.well-known\/acme-challenge\/omN8uZRHsf3.......S58s\r\n\r\n-------------------------------------------------------------------------------\r\nPress Enter to Continue\r\n\r\n<\/pre>\n<p>Once the domain has been validated, the certificate is generated successfully:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nIMPORTANT NOTES:\r\n - Congratulations! Your certificate and chain have been saved at:\r\n   \/etc\/letsencrypt\/live\/kyle.ai\/fullchain.pem\r\n   Your key file has been saved at:\r\n   \/etc\/letsencrypt\/live\/kyle.ai\/privkey.pem\r\n   Your cert will expire on 2017-12-19. 
To obtain a new or tweaked\r\n   version of this certificate in the future, simply run certbot\r\n   again. To non-interactively renew *all* of your certificates, run\r\n   &quot;certbot renew&quot;\r\n<\/pre>\n<p>The issued certificate is valid for only 3 months, so it is best to run the renewal command every day:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# Run crontab -e, then add this entry:\r\n\r\n25 * * * * certbot renew\r\n<\/pre>\n<p>If the renew command fails with an error like the following:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nCert is due for renewal, auto-renewing...\r\nCould not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.\r\nThe error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)\r\nAttempting to renew cert (blog.zengrong.net) from \/etc\/letsencrypt\/renewal\/blog.zengrong.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.\r\nThe error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). 
Skipping.\r\n<\/pre>\n<p>then you can redo the domain ownership validation manually with the following command:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ncertbot certonly --debug --force-renew -a manual -d kyle.ai\r\n<\/pre>\n<p>For Nginx, add a few lines to the server block, for example:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nlisten 443 ssl;\r\n# fullchain.pem contains the leaf certificate plus the intermediate chain;\r\n# cert.pem alone is only the leaf and breaks clients that lack the intermediate\r\nssl_certificate \/etc\/letsencrypt\/live\/kyle.ai\/fullchain.pem;\r\nssl_certificate_key \/etc\/letsencrypt\/live\/kyle.ai\/privkey.pem;\r\nssl_session_timeout 5m;\r\nssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;\r\n# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them\r\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\nssl_prefer_server_ciphers on;\r\nadd_header X-Frame-Options SAMEORIGIN;\r\nadd_header Strict-Transport-Security &quot;max-age=8640000;&quot;;\r\n# add_header takes the header name without a trailing colon\r\nadd_header X-Content-Type-Options nosniff;\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I previously used a certificate from startssl.com (see my earlier post, Configuring an SSL certificate in Nginx), but recently Chrome 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-6333","post","type-post","status-publish","format-standard","hentry","category-skill"],"_links":{"self":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts\/6333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/comments?post=6333"}],"version-history":[{"count":4,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts\/6333\/revisions"}],"predecessor-version":[{"id":6366,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts\/6333\/revisions\/6366"}],"wp:attachment":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/media?parent=6333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/categories?post=6333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/tags?post=6333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}